In another example of how regulators are increasingly intolerant of companies that make basic errors leading to data breaches, the U.S. Federal Trade Commission has reached a multi-million dollar settlement with Equifax Inc. over a 2017 incident that exposed the personal information of some 147 million people.
Equifax has agreed to pay at least $575 million (U.S), and potentially up to $700 million, as part of a global settlement with the FTC, the U.S. Consumer Financial Protection Bureau, and 50 U.S. states and territories, which alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to the breach.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” said FTC chair Joe Simons. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
The proposed settlement, announced Monday, still has to be approved by a U.S. District Court.
In April, Canada’s federal privacy commissioner Daniel Therrien found that, despite spending millions a year on cyber security, the company had poor security safeguards; retained information too long; had inadequate consent procedures; suffered from a lack of accountability for Canadians’ information; and provided only limited protection measures to affected individuals after the breach. Information on about 19,000 Canadians was exposed in the breach.
Therrien also complained Equifax Canada didn’t offer Canadian victims the same credit-monitoring protection U.S. victims received, particularly the ability to have a credit freeze placed on their files to ensure a hacker couldn’t play around with their credit rating.
Even under the amended Personal Information Protection and Electronic Documents Act (PIPEDA), the privacy commissioner doesn’t have the power to issue fines for non-compliance with the law’s obligations to safeguard personal data. Therrien has urged the government several times to give him that power.
The proposed U.S. settlement breaks down like this:
–$300 million to a fund that will provide affected U.S. consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach.
–Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.
–$175 million to 48 states, the District of Columbia and Puerto Rico.
–$100 million to the U.S. Consumer Financial Protection Bureau in civil penalties.
In addition to these financial penalties, Equifax would also have to implement a comprehensive information security program requiring the company to: designate an employee to oversee the information security program; conduct annual assessments of internal and external security risks and implement safeguards; obtain annual certifications from the Equifax board of directors or a relevant subcommittee attesting that the company has complied with the order, including its information security requirements; and ensure that service providers with access to personal information stored by Equifax also implement adequate data protection safeguards.
Failed to patch
The FTC alleges in its statement that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees.
In fact, Equifax did not discover that its ACIS database was unpatched until July 2017, when its security team detected suspicious traffic on its network. A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information and to operate undetected on Equifax’s network for months.
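As an added illustration (not code from the article, the FTC or Equifax), here is a small Python check of the follow-up step the text says was missing: given a patch directive with a 48-hour deadline and the confirmation records that came back, it separates hosts that were verified on time from those that were late, self-reported without verification, or never reported at all. The host names, timestamps and records are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed example data: a patch directive for a critical vulnerability,
# and the per-host confirmation records the remediation team actually filed.
# None of these hosts or timestamps come from the article; they are illustrative.
PATCH_ORDER_ISSUED = datetime(2024, 3, 8, 9, 0)
PATCH_SLA = timedelta(hours=48)

# Inventory of hosts flagged as running the vulnerable component.
VULNERABLE_HOSTS = ["acis-web-01", "acis-web-02", "acis-db-01", "legacy-app-07"]

# Confirmation records: host -> (patched_at, verified_by_scan).
# verified_by_scan=False means a self-reported "done" with no independent
# check, which is exactly the gap the paragraph above describes.
CONFIRMATIONS = {
    "acis-web-01": (datetime(2024, 3, 9, 14, 30), True),
    "acis-web-02": (datetime(2024, 3, 12, 8, 0), True),   # patched, but after the deadline
    "acis-db-01": (datetime(2024, 3, 9, 10, 0), False),   # claimed, never verified
    # legacy-app-07 has no record at all
}


def patch_compliance_report(order_issued, sla, hosts, confirmations):
    """Classify each vulnerable host so the follow-up step is explicit.

    Returns a dict with four lists: compliant, late, unverified, missing.
    Anything outside 'compliant' should be escalated, not assumed done.
    """
    deadline = order_issued + sla
    report = {"compliant": [], "late": [], "unverified": [], "missing": []}
    for host in hosts:
        record = confirmations.get(host)
        if record is None:
            report["missing"].append(host)
            continue
        patched_at, verified = record
        if not verified:
            report["unverified"].append(host)
        elif patched_at > deadline:
            report["late"].append(host)
        else:
            report["compliant"].append(host)
    return report


if __name__ == "__main__":
    result = patch_compliance_report(PATCH_ORDER_ISSUED, PATCH_SLA,
                                     VULNERABLE_HOSTS, CONFIRMATIONS)
    for status, names in result.items():
        print(f"{status:>10}: {', '.join(names) or '-'}")
```

A host is counted as unverified before it is counted as late, since an unverified claim tells you nothing about when, or whether, the patch was applied.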
The hackers targeted Social Security numbers, dates of birth, and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. In all, the hackers stole at least 147 million names and dates of birth, 145.5 million U.S. Social Security numbers, and 209,000 payment card numbers and expiration dates.
‘Staggering’ amount of data
“Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures,” according to the complaint. “This includes failing to implement a policy to ensure that security vulnerabilities were patched; failing to segment its database servers to block access to other parts of the network once one database was breached; and failing to install robust intrusion detection protections for its legacy databases. In addition, the FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text.”
The FTC alleges that Equifax violated the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information.
“The size of the recent Equifax settlement should signal the significance of protecting and securing consumer data – and shows that regulators are serious about companies securing the complex and private consumer information they are entrusted with,” noted Justin Fox, director of devops engineering at Mastercard’s NuData Security division. “Even though Equifax is helping individuals recover from this breach, it will take years for the full scope to be apparent, and the impact is expected to be immense. Organizations must take steps to secure all consumer and employee data, educate employees so they don’t click on phishing emails, and continuously monitor networks for intrusion, 24×7. Most importantly, organizations need to be much more diligent about performing proactive reviews of their systems, networks and software, to discover system and process vulnerabilities quickly, and apply proper mitigating technologies.”